Conventional storage security appliances are used to protect data in direct attached storage (DAS), network attached storage (NAS), storage area network (SAN), tape, and other storage environments. Conventional storage security appliances protect data by encrypting the data before it is stored or as it is stored. An example of such a conventional storage security appliance is DataFort® by Decru® of Redwood City, Calif. Such conventional storage security appliances may be added to a storage environment that uses in-band signaling (wherein metadata and control information are sent between a host and a storage device using the same protocol as data), or a storage environment that uses out-of-band signaling (wherein metadata and control information are sent using a different protocol from that used to send data).
FIG. 1 illustrates a conventional network architecture 100 in which out-of-band signaling is used to manage a storage device. The conventional architecture 100 includes a host or client 105, a storage device 110, and a conventional security appliance 125. The storage device 110 includes a control module 115 for managing the storage device 110, and a storage module 120 for storing data on, deleting data on, and/or retrieving data from the storage device 110.
The conventional security appliance 125 is disposed in a data path between the host or client 105 and the storage device 110. The conventional security appliance 125 intercepts, encrypts, and decrypts data transmitted between the host/client 105 and the storage device 110, thus securing data stored on the storage device 110. Therefore, all data traffic (e.g., unencrypted data traffic 130 and encrypted data traffic 135) flows through the conventional security appliance 125.
In the conventional network architecture 100, no control traffic 140 flows through the conventional security appliance 125. Therefore, when control traffic 140 includes commands that cause the control module 115 to modify the storage device 110 (e.g., to add a new drive, modify an existing drive, change permissions to a drive, etc.), the conventional security appliance 125 is uninformed of such modifications. To enable the conventional security appliance 125 to take advantage of modifications to the storage device 110, additional commands must be sent to the conventional security appliance 125 to alert it to the changes made on the storage device 110. For example, if a new drive is provisioned on the storage device 110, the conventional security appliance 125 cannot write to the new drive until an administrator reconfigures the conventional security appliance 125 to add information concerning the new drive. Moreover, for new drives created without the knowledge of the conventional security appliance 125, the conventional security appliance 125 may not know how to encrypt data stored on the drive (e.g., what encryption key to use). This may add an additional burden to an administrator of the storage device 110.
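The gap described above can be modelled in a few lines. The following is an added illustration, not code from the original document or from any product it names. The class names, the `add_drive` command, the fail-closed behavior, the toy keystream, and the `unmanaged_drives` reconciliation check are all assumptions made for the example.

```python
import hashlib
import os

class UnknownDrive(Exception):
    """Raised when the appliance holds no key for the addressed drive."""

class StorageDevice:
    """Storage device 110: control module 115 plus storage module 120."""
    def __init__(self):
        self.drives = {}  # drive name -> {block number: stored bytes}

    def control(self, command, drive):
        # Control traffic 140 reaches the device directly, bypassing the appliance.
        if command == "add_drive":  # hypothetical command name
            self.drives.setdefault(drive, {})
        else:
            raise ValueError(f"unsupported command: {command}")

class SecurityAppliance:
    """In-path appliance 125: sees data traffic 130/135 only."""
    def __init__(self, device):
        self.device = device
        self.keys = {}  # drive name -> key; filled in only by an administrator

    def configure_drive(self, drive):
        self.keys[drive] = os.urandom(32)

    def _xor(self, drive, block, data):
        # Toy keystream (SHAKE-256 over key, drive, block); NOT a production cipher.
        if drive not in self.keys:
            raise UnknownDrive(drive)  # assumed fail-closed: never forward plaintext
        seed = self.keys[drive] + drive.encode() + block.to_bytes(8, "big")
        stream = hashlib.shake_256(seed).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, drive, block, plaintext):
        self.device.drives[drive][block] = self._xor(drive, block, plaintext)

    def read(self, drive, block):
        return self._xor(drive, block, self.device.drives[drive][block])

def unmanaged_drives(device, appliance):
    """Drives the control module created that the appliance has no key for."""
    return sorted(set(device.drives) - set(appliance.keys))
```

Running `unmanaged_drives` after each out-of-band provisioning change lists the drives an administrator still has to configure on the appliance before hosts can write to them.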